| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 7 (11.1.7) Part Number E21032-21 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 7 (11.1.7) Part Number E21032-21 |
|
|
PDF · Mobi · ePub |
This chapter describes and illustrates the enterprise deployment reference topologies described in this guide and helps you plan your deployment.
The key to a successful Enterprise Deployment is planning and preparation. The road map for installation and configuration in this chapter directs you to the appropriate chapters for the tasks you need to perform. Use this chapter to help you plan your Oracle Identity Management enterprise deployment.
This chapter contains the following topics:
Section 2.1, "Overview of Enterprise Deployment Reference Topologies"
Section 2.2, "Hardware Requirements for an Enterprise Deployment"
Section 2.3, "Software Components Installed as Part of the Provisioning Process"
Section 2.4, "Road Map for the Reference Topology Installation and Configuration"
This section describes diagrams used to illustrate the enterprise deployment possibilities described in this guide. Use this section to plan your enterprise deployment topology.
This section covers these topics:
Oracle Identity Management consists of a number of products, which can be used either individually or collectively. The Enterprise Deployment Guide for Identity Management (Fusion Applications Edition) enables you to build two different enterprise topologies for Fusion Applications.
In the diagrams, active nodes are shown in color, and passive nodes are shown in white.
See Also:
The supported platforms documentation for Oracle Fusion Applications.
This section contains the following topologies:
Section 2.1.1.1, "Oracle Access Manager 11g and Oracle Identity Manager 11g for Fusion Applications"
Section 2.1.1.2, "Oracle Identity Federation 11g for Fusion Applications"
Figure 2-1 is a diagram of the Oracle Access Manager 11g and Oracle Identity Manager 11g topology. This is the topology that the vast majority of customers will use. It enables you to add Identity Management functionality to Oracle Applications deployments.
Oracle Access Manager enables your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as based on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.
This topology will not service federated requests. If you want to use Oracle Identity Federation as well, then, in addition to this topology, you must also deploy a separate federated topology similar to that shown in Section 2.1.1.2, "Oracle Identity Federation 11g for Fusion Applications."
Figure 2-1 Oracle Access Manager 11g and Oracle Identity Manager 11g Topology for Fusion Applications
This figure is a graphical representation of the enterprise topology. It includes icons and symbols that represent the hardware load balancer, host computers, firewalls, and other elements of the topology. At a high level, it shows the main components of the topology, including the following:
The Load Balancer: The load balancer receives user requests on Port 80 (HTTP) and Port 443 (HTTPS), strips out the SSL where appropriate and passes the requests onto the Oracle HTTP servers using Port 7777.
The Web Tier: There are two WebLogic servers, each of which hosts an Oracle HTTP Server and Oracle WebGate.
The Application Tier: There are two servers, IDMHOST1 and IDMHOST2. Requests are received from the Web Tier. Each server contains managed servers for the following products:
Oracle Access Manager, which hosts the Access Server
Oracle Identity Manager, which hosts an OIM Server and corresponding JRF/OPSS processes
SOA, which hosts a SOA Server and corresponding JRF/OPSS processes
IDMHOST1 also contains the WebLogic Administration Server, which hosts the WebLogic Console, Enterprise Manager Fusion Middleware Control, OAM Console, and ODSM (for Oracle Internet Directory and Oracle Virtual Directory). In the event of the failure of IDMHOST1, the WebLogic Administration Server can be started on IDMHOST2.
The Directory Tier: There are two hosts, LDAPHOST1 and LDAPHOST2. These hosts contain the Oracle Internet Directory instances.
This is also where the databases reside. These contain the Oracle Internet Directory schemas, customer data, and the schemas required by the application tier products.
The Load Balancer: Inside the demilitarized zone (DMZ) is a load balancer which directs requests received on SSO.mycompany.com, ADMIN.mycompany.com and IDMINTERNAL.mycompany.com and directs requests to the Oracle HTTP servers. In the case of SSO.mycompany.com, requests are SSL encrypted. This is terminated at the load balancer. ADMIN.mycompany.com and IDMINTERNAL.mycompany.com handle requests using the HTTP protocol.
In addition, the load balancer distributes LDAP requests among the Oracle Unified Directory instances on IDMHOST1 and IDMHOST2, using the load balancer virtual host IDSTORE.mycompany.com
Firewalls: These are used to separate the Web, Application, and Directory tiers into different zones. WEBHOST1 and WEBHOST2 reside in the DMZ.
For more information, refer to the descriptions of the topology tiers in the sections that follow the diagrams. The instructions in this guide describe how to install and configure the software for this topology.
Figure 2-2 is a diagram of the Oracle Identity Federation 11g topology for Fusion Applications. This topology is only relevant to users who are deploying Oracle Identity Federation. An enterprise deployment containing Oracle Identity Federation can only be used for that purpose. That is, it cannot be used to service both federated and non-federated requests.
This topology is similar to the one shown in Figure 2-1. It differs from that figure in that the IDMHOSTs in the Application Tier include the additional product, Oracle Identity Federation.
The Directory Tier is in the Intranet Zone. The Directory Tier is the deployment tier where all the LDAP services reside. This tier includes products such as Oracle Internet Directory and Oracle Virtual Directory. The Directory Tier is managed by directory administrators providing enterprise LDAP service support.
The Directory Tier is closely tied with the Data Tier. Access to the Data Tier is important for the following reasons:
Oracle Internet Directory relies on Oracle Database as its back end.
Oracle Virtual Directory provides virtualization support for other LDAP services or databases or both.
In some cases, the Directory Tier and Data Tier might be managed by the same group of administrators. In many enterprises, however, database administrators own the Data Tier while directory administrators own the Directory Tier.
Typically protected by firewalls, applications above the Directory Tier access LDAP services through a designated LDAP host port. The standard LDAP port is 389 for the non-SSL port and 636 for the SSL port. LDAP services are often used for white pages lookup by clients such as email clients in the intranet. The ports 389 and 636 on the load balancer are typically redirected to the non-privileged ports used by the individual directory instances.
The Directory Tier stores two types of information:
Identity Information: Information about users and groups
Oracle Platform Security Services (OPSS): Information about security policies and about configuration.
Extending the domain to include Oracle Internet Directory includes the following steps:
Configure two instances of Oracle Internet Directory by using the Oracle Identity Management 11g Configuration Wizard
Register the instances with the WebLogic Server Domain (IDMDomain).
Validate the instances
Tune Oracle Internet Directory
Although the topology diagrams do not show LDAP directories other than Oracle Internet Directory, you can use Microsoft Active Directory to store identity information. You must always store policy information in Oracle Internet Directory. You may store identity information in Oracle Internet Directory or in another directory.
If you store the Identity details in a directory other than Oracle Internet Directory, you can use Oracle Virtual Directory to present that information
Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite describes how to configure Oracle Virtual Directory for two multidirectory scenarios.
A split profile, or split directory configuration, is one where identity data is stored in multiple directories, possibly in different locations. A split profile is used to store custom attributes required for Fusion Application Deployment. Use this kind of deployment when you do not want to modify the existing Identity Store by extending the schema. In that case, deploy a new Oracle Internet Directory instance to store the extended attributes. Alternatively, you can use the Oracle Internet Directory instance deployed for Policy Store for this purpose.
Another multidirectory scenario is one where you have distinct user and group populations. In this configuration, Oracle-specific entries and attributes are stored in Oracle Internet Directory. Enterprise-specific entries that might have Fusion Applications-specific attributes are stored in Active Directory.
In both multidirectory scenarios, you use Oracle Virtual Directory to present all the identity data in a single consolidated view that Oracle Identity Management components can interpret.
Although you can use a single Oracle Internet Directory instance for storing both the identity and policy information, in some cases you might need to use two separate Oracle Internet Directory installations, one for the Policy Store and another for Identity Store. For example, this might be necessary due to throughput or enterprise directory requirements. You might also need to use separate Oracle Internet Directory installations if you have a shared Identity Management deployment with multiple Oracle Fusion Applications pods pointing to it.
If your policy store is in a separate Oracle Internet Directory instance, this instance is created on the same host as the Oracle Internet Directory instance used for identity information, although it will use a different database to hold its information. As a result, the Oracle Internet Directory containing policy information will use different ports from those used by the primary Oracle Internet Directory.
If you intend to separate your identity and policy information, you must create two separate clusters of highly available Oracle Internet Directory. These Oracle Internet Directory clusters can share the same machines but they should use separate Real Application Clusters databases as their data store.
If you are using Oracle Internet Directory exclusively, you do not need to use Oracle Virtual Directory.
This guide assumes that you are creating two virtual names: one for your Policy Store (POLICYSTORE.mycompany.com) and one for your Identity Store (IDSTORE.mycompany.com). When using a single Oracle Internet Directory for both your identity and policy information, you can either create two virtual host names, both pointing to the same directory, or combine them into a single suitable virtual host name in the load balancer.
If you are using Oracle Internet Directory as your Identity Store, you can configure it to use multimaster replication as described in the Oracle Fusion Middleware High Availability Guide chapter Configuring Identity Management for Maximum High Availability. This enables you to maintain the same naming contexts on multiple directory servers. It can improve performance by providing more servers to handle queries and by bringing the data closer to the client. It improves reliability by eliminating risks associated with a single point of failure.
By default, Oracle Internet Directory passwords expire in 120 days. Users who do not reset their passwords before expiration can no longer authenticate to Oracle Internet Directory. This includes administrative users, such as oamadmin. Your Identity Management environment cannot work properly unless these users can authenticate. See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about changing Oracle Internet Directory password policies.
The enterprise deployment described in this guide shows Oracle Access Manager using Oracle Internet Directory as the only LDAP repository. Oracle Access Manager uses a single LDAP for policy and configuration data. It is possible to configure another LDAP as the Identity Store where users, organizations and groups reside. For example, an Oracle Access Manager instance may use Oracle Internet Directory as its policy and configuration store and point to an instance of Microsoft Active Directory for users and groups.
In addition, the Identity Stores can potentially be front-ended by Oracle Virtual Directory to virtualize the data sources.
To learn more about the different types of directory configuration for Oracle Access Manager, consult the 11g Oracle Access Manager documentation at Oracle Technology Network. Customers considering these variations should adjust their Directory Tier and Oracle Access Manager deployment accordingly.
Oracle Internet Directory Instances are active/active deployments.
Oracle Virtual Directory Instances are active/active deployments.
If the Oracle Internet Directory fails on the LDAPHOST, Oracle Process Management and Notification (OPMN) server attempts to restart it.
If the Oracle Virtual Directory fails on the LDAPHOST, Oracle Process Management and Notification (OPMN) server attempts to restart it.
The Application Tier is the tier where Java EE applications are deployed. Products such as Oracle Identity Manager, Oracle Identity Federation, Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control are the key Java EE components that can be deployed in this tier. Applications in this tier benefit from the High Availability support of Oracle WebLogic Server.
The Identity Management applications in the Application Tier interact with the Directory Tier as follows:
They leverage the Directory Tier for enterprise identity information.
In some cases, they leverage the Directory Tier (and sometimes the database in the Data Tier) for application metadata.
Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager are administration tools that provide administrative functionalities to the components in the Application Tier as well as the Directory Tier.
WebLogic Server has built-in web server support. If enabled, the HTTP listener exists in the Application Tier as well. However, for the enterprise deployment shown in Figure 1-1, customers have a separate Web Tier relying on web servers such as Apache or Oracle HTTP Server.
In the Application Tier:
IDMHOST1 and IDMHOST2 have the WebLogic Server with the Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle Directory Services Manager, Oracle Identity Federation, and Oracle Access Management Server configured. IDMHOST1 and IDMHOST2 run both the WebLogic Server Administration Servers and Managed Servers. Note that the Administration Server is configured to be active-passive, that is, although it is installed on both nodes, only one instance is active at any time. If the active instance goes down, then the passive instance starts up and becomes the active instance.
The Oracle Access Management Server communicates with the Directory Tier to verify user information.
On the firewall protecting the Application Tier, the HTTP ports, and OAP port are open. The OAP (Oracle Access Protocol) port is for the WebGate module running in Oracle HTTP Server in the Web Tier to communicate with Oracle Access Manager to perform operations such as user authentication.
In the OAM and OIM topology, IDMHOST1 and IDMHOST2 have Oracle Identity Manager and Oracle SOA installed. Oracle Identity Manager is user provisioning application. Oracle SOA deployed in this topology is exclusively used for providing workflow functionality for Oracle Identity Manager.
Oracle Enterprise Manager Fusion Middleware Control is integrated with Oracle Access Manager using the Oracle Platform Security Services (OPSS) agent.
The Oracle WebLogic Server console, Oracle Enterprise Manager Fusion Middleware Control, and Oracle Access Management console are always bound to the listen address of the Administration Server.
The WebLogic administration server is a singleton service. It runs on only one node at a time. In the event of failure, it is restarted on a surviving node.
The WLS_ODS1 Managed Server on IDMHOST1 and WLS_ODS2 Managed Server on IDMHOST2 are in a cluster and the Oracle Directory Services Manager applications are targeted to the cluster.
The WLS_OAM1 Managed Server on IDMHOST1 and WLS_OAM2 Managed Server on IDMHOST2 are in a cluster and the Oracle Access Manager applications are targeted to the cluster.
Oracle Directory Services Manager are bound to the listen addresses of the WLS_ODS1 and WLS_ODS2 Managed Servers. By default, the listen address for these Managed Servers is set to IDMHOST1 and IDMHOST2 respectively.
The WLS_OIM1 Managed Server on IDMHOST1 and WLS_OIM2 Managed Server on IDMHOST2 are in a cluster and the Oracle Identity Manager applications are targeted to the cluster.
The WLS_SOA1 Managed Server on IDMHOST1 and WLS_SOA2 Managed Server on IDMHOST2 are in a cluster and the Oracle SOA applications are targeted to the cluster
The WLS_OIF1 Managed Server on IDMHOST1 and WLS_OIF2 Managed Server on IDMHOST2 are in a cluster and the Oracle Identity Federation applications are targeted to the cluster.
The OAM Servers are active-active deployments.
Oracle Access Manager, Oracle Identity Manager, and SOA are active-active deployments; these servers communicate with the Data Tier at run time.
The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive (where other components are active-active). There is one Administration Server per domain.
The Identity Federation Servers are active-active deployments; the Oracle Identity Federation Server may communicate with the Data Tier at run time.
The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If the primary fails or the Administration Server on IDMHOST1 does not start, the Administration Server on the secondary host can be started. If a WebLogic managed server fails, the node manager running on that host attempts to restart it.
Oracle WebLogic Server Console, Oracle Enterprise Manager Fusion Middleware Control console, and Oracle Access Manager Console are only accessible through a virtual host configured on the load balancer, which is only available inside the firewall.
A domain is the basic administration unit for WebLogic Server instances. A domain consists of one or more WebLogic Server instances (and their associated resources) that you manage with a single Administration Server. You can define multiple domains based on different system administrators' responsibilities, application boundaries, or geographical locations of servers. Conversely, you can use a single domain to centralize all WebLogic Server administration activities.
The Web Tier is in the DMZ Public Zone. The HTTP Servers are deployed in the Web Tier.
Most of the Identity Management components can function without the Web Tier, but for most enterprise deployments, the Web Tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the Web Tier is required.
In the Web Tier:
WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate (an Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module enables requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the Application Tier.
WebGate (an Access Manager component) in Oracle HTTP Server uses Oracle Access Protocol (OAP) to communicate with Oracle Access Manager running on IDMHOST1 and IDMHOST2, in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication.
On the firewall protecting the Web Tier, the HTTP ports are 443 (HTTP_SSL_PORT) for HTTPS and 80 (HTTP_PORT) for HTTP. Port 443 is open.
Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs, and proxy requests for the Oracle Enterprise Manager, and Oracle Directory Services Manager Java EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2.
If the Oracle HTTP server fails on the WEBHOST, Oracle Process Management and Notification (OPMN) server attempts to restart it.
The Oracle HTTP Servers process requests received using the URLs SSO.mycompany.com and ADMIN.mycompany.com. The name ADMIN.mycompany.com is only resolvable inside the firewall. This prevents access to sensitive resources such as the Oracle WebLogic Server console and Oracle Enterprise Manager Fusion Middleware Control console from the public domain.
The minimum hardware requirements for the Enterprise Deployment on Linux operating systems are listed in Table 2-1. The memory figures represent the physical memory required to install and run an Oracle Fusion Middleware server.
For detailed requirements, or for requirements for other platforms, see the Oracle Fusion Middleware System Requirements and Specifications. Also see the Technical Release Notes for Oracle Fusion Applications 11g Release 7 (11.1.7), especially the sections with titles such as "System Requirements" and "Pre-Installation Known Issues."
Table 2-1 Typical Hardware Requirements
| Server | Processor | Disk | Memory | TMP Directory | Swap |
|---|---|---|---|---|---|
|
|
4 or more X Pentium 1.5 GHz or greater |
nXm n=Number of disks, at least 4 (striped as one disk). m=Size of the disk (minimum of 30 GB) |
6-16 GB |
Default |
Default |
|
WEBHOST |
2 or more X Pentium 1.5 GHz or greater |
40 GB |
4 GB |
Default |
Default |
|
IDMHOST |
4 or more X Pentium 1.5 GHz or greater |
30 GB |
16 GB |
Default |
Default |
|
LDAPHOST |
2 or more X Pentium 1.5 GHz or greater |
30 GB |
4 GB |
Default |
Default |
These are the typical hardware requirements. For each tier, carefully consider the load, throughput, response time and other requirements to plan the actual capacity required. The number of nodes, CPUs, and memory required can vary for each tier based on the deployment profile.Production requirements may vary depending on applications and the number of users.
The Enterprise Deployment configurations described in this guide use two servers for each tier to provide failover capability; however, this does not presume adequate computing resources for any application or user population. If the system workload increases such that performance is degraded, you can add servers to the configuration by following the instructions in Chapter 15, "Scaling Enterprise Deployments."
Note:
Oracle recommends configuring all nodes in the topology identically with respect to operating system levels, patch levels, user accounts, and user groups.
Table 2-2, "Software Versions Used" lists the Oracle software you need to obtain before starting the procedures in this guide.
For complete information about downloading Oracle Fusion Middleware software, see Section 6.1.2, "Software to Install" and the "Preparing for an Installation" chapter in Oracle Fusion Applications Installation Guide.
Table 2-2 Software Versions Used
| Short Name | Product | Version |
|---|---|---|
|
OHS11G |
Oracle HTTP Server |
11.1.1.7.0 |
|
JRockit |
Oracle JRockit |
JDK 6 (jrockit 1.6.0_37-b06 or newer) |
|
WLS |
Oracle WebLogic Server |
10.3.6.0 |
|
IAM |
Oracle Identity and Access Management |
11.1.1.7.0 |
|
SOA |
Oracle SOA Suite |
11.1.1.7.0 |
|
IDM |
Oracle Identity Management |
11.1.1.7.0 |
|
WebGate |
WebGate 11g |
11.1.1.7.0 |
|
RCU |
Repository Creation Assistant |
11.1.1.7.0 |
In this current release of the Guide, the configuration of the enterprise deployment topology is largely automatic.
Configuration is performed by using the Oracle Identity Management Provisioning Wizard to create a response file, then using the Identity Management Provisioning Tools to perform the provision process.
There are two main phases:
Information Gathering Phase - This is where the wizard collects information about your target environment.
Provisioning Phase - This is where the tool takes the information gleaned in the Information Gathering Phase and creates the deployment, installing and configuring all of the software required.
See Also:
The Oracle Fusion Middleware 11g Release 1 Download, Installation, and Configuration Readme for this release, at: http://docs.oracle.com/cd/E23104_01/download_readme.htm
Figure 2-3, "Flow Chart of the Oracle Identity Management Enterprise Deployment Process for Oracle Fusion Applications" provides a flow chart of the Oracle Identity Management enterprise deployment process. Review this chart to become familiar with the steps that you must follow, based on the existing environment.
Table 2-3 describes each of the steps in the enterprise deployment process flow chart for Oracle Identity Management, shown in Figure 2-3. The table also provides information on where to obtain more information about each step in the process.
Table 2-3 Steps in the Oracle Identity Management Enterprise Deployment Process
| Step | Description | More Information |
|---|---|---|
|
Prepare your Network for Enterprise Deployment |
To prepare your network for an enterprise deployment, understand concepts, such as virtual server names and IPs and virtual IPs, and configure your load balancer by defining virtual host names. |
Chapter 3, "Preparing the Network for an Enterprise Deployment" |
|
Prepare your File System for Enterprise Deployment |
To prepare your file system for an enterprise deployment, review the terminology for directories and directory environment variables, and configure shared storage. |
|
|
Prepare your Servers for Enterprise Deployment |
To prepare your servers for an enterprise deployment, ensure that your servers meet hardware and software requirements, enable Unicode support and Virtual IP Addresses, mount shared storage, configure users and groups, and, if necessary, install software onto multihomed systems. |
Chapter 5, "Preparing the Servers for an Enterprise Deployment" |
|
Prepare your Database for Enterprise Deployment |
To prepare your database for an enterprise deployment, review database requirements, create database services, load the metadata repository, in the Oracle RAC database, configure Identity Management schemas for transactional recovery privileges, and back up the database. |
Chapter 7, "Preparing the Database for an Enterprise Deployment" |
|
Prepare for Provisioning |
Perform prerequisite tasks. |
|
|
Create a Provisioning Profile |
Run the Oracle Identity Management Provisioning Wizard to create a provisioning profile |
|
|
Provision Identity Management |
Run the provisioning commands on the host machines, using the provisioning profile as input. |
|
|
Perform Post-Provisioning Configuration |
Perform additional configuration. |
|
|
Enable Oracle Identity Federation? |
Enable and start Oracle Identity Configuration |
|
|
Set up Node Manager |
Set up Node manager by enabling host name verification, starting Node Manager, and configuring WebLogic Servers to use custom keystores. |
Chapter 12, "Setting Up Node Manager for an Enterprise Deployment" |
|
Configure Server Migration |
Configure server migration for the WLS_OIM1, WLS_SOA1, WLS_OIM2, and WLS_SOA2 Managed Servers. Configure the WLS_OIM1 and WLS_SOA1 Managed Server to restart on IDMHOST2 if a failure occurs. Configure the WLS_OIM2 and WLS_SOA2 Managed Servers to restart on IDMHOST1 if a failure occurs. |
Chapter 13, "Configuring Server Migration for an Enterprise Deployment" |
|
Validate Provisioning |
Perform additional sanity checks, in addition to those provided by the provisioning process. |
|
|
 Copyright © 2004, 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
